urelas | c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8b

General

Target

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
Size

413KB
MD5

b9f8bd887d225686446883ff875ccb90
SHA1

67090bd9de9213f1c08a0f400dd12925cf05daba
SHA256

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8b
SHA512

f33bf21f154ed5de651558ba377b993bae2e9bb376f0723320ccca8a7825a9fadfbd657b906e8c276311c097882a3fdce4ea83b2ab4e2274b0132ab34a9ccdfe
SSDEEP

6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODso:hU7M5ijWh0XOW4sEfeOT

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral1/files/0x0004000000004ed7-27.dat	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2700	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

rireq.exebujoo.exe

pid	Process
2164	rireq.exe
2832	bujoo.exe

Loads dropped DLL 3 IoCs

Processes:

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exerireq.exe

pid	Process
1884	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
1884	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
2164	rireq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exerireq.execmd.exebujoo.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rireq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bujoo.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

bujoo.exe

pid	Process
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe
2832	bujoo.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exerireq.exe

description	pid	Process	procid_target
PID 1884 wrote to memory of 2164	1884	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	31
PID 1884 wrote to memory of 2164	1884	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	31
PID 1884 wrote to memory of 2164	1884	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	31
PID 1884 wrote to memory of 2164	1884	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	31
PID 1884 wrote to memory of 2700	1884	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	32
PID 1884 wrote to memory of 2700	1884	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	32
PID 1884 wrote to memory of 2700	1884	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	32
PID 1884 wrote to memory of 2700	1884	c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe	32
PID 2164 wrote to memory of 2832	2164	rireq.exe	35
PID 2164 wrote to memory of 2832	2164	rireq.exe	35
PID 2164 wrote to memory of 2832	2164	rireq.exe	35
PID 2164 wrote to memory of 2832	2164	rireq.exe	35

C:\Users\Admin\AppData\Local\Temp\c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe
"C:\Users\Admin\AppData\Local\Temp\c50503812cd070efc167c8958b9b97e985e55737f6d766c7b9685709504d2a8bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\rireq.exe
  "C:\Users\Admin\AppData\Local\Temp\rireq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\bujoo.exe
    "C:\Users\Admin\AppData\Local\Temp\bujoo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
ef67289238daad92202b4c1fe4097f4f

SHA1
f71429724fe3c800d9b15077a0c28ebfed067caa

SHA256
35ca3054a3a03ae562b1270445ee4a7851c04364248f84b4feb4cd77f6502659

SHA512
500c3849490cce085e27ca20d7d46394789d0b39e64aa56f72772704bcd3820c431b02607e13fcbf966a11765c2d9281e9f7e0db9a88304363a3a5b9dc505ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cb716423da29d6b7e0bdbd3fbaf000eb

SHA1
f7aad7f4644f6bf9421a0ec6d2e5f5954065a208

SHA256
a96bc9db4cb55f708327e44db105fdd3cea99a7f214ce845f30705ec8e600f98

SHA512
96db2230cb6d16eff3e8326a6f6b5f2375c2ef82190bca6564759ad60d967d6f488f8592c33103b058ccfdaa73eae9280adbe01b9d735bcfa74d1e1c663d871a

Download Submit
\Users\Admin\AppData\Local\Temp\bujoo.exe

Filesize
212KB

MD5
ba65955e084ec45d5b7380c1a8a14613

SHA1
3044b2d53e4dd5f3e15943c8b3c6d89a8986bb31

SHA256
6b42f3b4edd401955364ef059c4569f20bf9b2e204179f3e35aca46890497fab

SHA512
5651292e2f23364abb3f8f1925f2ccd4465a9999bad0bebf5354a85cd3d17c3fd0f1473bbb0df1bbb9495472fea5f1a049df56fcb2eee36a8eabd1504b205bee

Download Submit
\Users\Admin\AppData\Local\Temp\rireq.exe

Filesize
413KB

MD5
46810f87c49d65e9b761797d83302ac8

SHA1
9bdc9b5a57f018d03280bcc519fd55211f7cef7b

SHA256
2612c37d004b7cf92f04d861c7d54612c52f8c8d4fc50b358106bd55436e6a3d

SHA512
fb6eea1a0a11489e12b5cf74c020e22f23ac2a40f99a143fc59d2cf3e24e8e311100bee8a918a7a803de838de2ec88ad62e051baf32e3aca3404c11c80e8e690

Download Submit
memory/1884-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1884-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1884-11-0x0000000002D10000-0x0000000002D75000-memory.dmp

Filesize
404KB

Download
memory/2164-31-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2164-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2164-24-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2832-32-0x0000000001230000-0x00000000012C4000-memory.dmp

Filesize
592KB

Download
memory/2832-33-0x0000000001230000-0x00000000012C4000-memory.dmp

Filesize
592KB

Download
memory/2832-34-0x0000000001230000-0x00000000012C4000-memory.dmp

Filesize
592KB

Download
memory/2832-35-0x0000000001230000-0x00000000012C4000-memory.dmp

Filesize
592KB

Download
memory/2832-37-0x0000000001230000-0x00000000012C4000-memory.dmp

Filesize
592KB

Download
memory/2832-38-0x0000000001230000-0x00000000012C4000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads